hxxp://google | Triage

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\adawareelam\ImagePath = "system32\\DRIVERS\\elamtd.sys"	MsiExec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	ClientLauncher.exe

Executes dropped EXE 9 IoCs

pid	Process
2860	NoEscape.exe (Creepypasta).755708.exe
2800	ClientLauncher.exe
2216	UpdaterLauncher.exe
4880	UDL-client.exe
4176	chrome.exe
4936	Updater.exe
6980	ffprobe.exe
5652	adawarewebinstaller.exe
1616	wsc-service.exe

Loads dropped DLL 28 IoCs

pid	Process
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
5652	adawarewebinstaller.exe
5652	adawarewebinstaller.exe
6736	MsiExec.exe
1952	MsiExec.exe
1952	MsiExec.exe
7044	MsiExec.exe
7044	MsiExec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adaware Antivirus = "\"C:\\Program Files\\Avanquest\\Adaware Antivirus\\application\\14.3.43577.3505\\Adaware Antivirus.exe\" --start-minimized"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\UDL\Client\3.6.30.416\api-ms-win-crt-multibyte-l1-1-0.dll	NoEscape.exe (Creepypasta).755708.exe
File opened for modification	C:\Program Files (x86)\UDL\Client\3.6.30.416\pylibs\pyexpat.pyd	NoEscape.exe (Creepypasta).755708.exe
File created	C:\Program Files (x86)\UDL\Client\3.6.30.416\pylibs\_zoneinfo.pyd	NoEscape.exe (Creepypasta).755708.exe
File created	C:\Program Files (x86)\UDL\Client\3.6.30.416\api-ms-win-core-processthreads-l1-1-1.dll	NoEscape.exe (Creepypasta).755708.exe
File created	C:\Program Files\Avanquest\Adaware Antivirus\application\14.3.43577.3505\memory_boost.dll	msiexec.exe
File created	C:\Program Files\Avanquest\Adaware Antivirus\firewall\3.0.0.34\ignis.sys	msiexec.exe
File opened for modification	C:\Program Files (x86)\UDL\Client\3.6.30.416\msvcr100.dll	NoEscape.exe (Creepypasta).755708.exe
File opened for modification	C:\Program Files (x86)\UDL\Client\3.6.30.416\api-ms-win-core-synch-l1-2-0.dll	NoEscape.exe (Creepypasta).755708.exe
File opened for modification	C:\Program Files (x86)\UDL\Client\3.6.30.416\extractors-regexes-post.json	NoEscape.exe (Creepypasta).755708.exe
File opened for modification	C:\Program Files (x86)\UDL\Client\3.6.30.416\api-ms-win-crt-convert-l1-1-0.dll	NoEscape.exe (Creepypasta).755708.exe
File created	C:\Program Files\Avanquest\Adaware Antivirus\active-threat-control\1.58.364.0\atccore.dll	msiexec.exe
File created	C:\Program Files (x86)\UDL\Client\3.6.30.416\api-ms-win-core-synch-l1-2-0.dll	NoEscape.exe (Creepypasta).755708.exe
File created	C:\Program Files\Avanquest\Adaware Antivirus\antimalware\3.0.1.297\bdquar.dll	msiexec.exe
File created	C:\Program Files\Avanquest\Adaware Antivirus\active-threat-control\1.58.364.0\bdnc.dll	msiexec.exe
File created	C:\Program Files\Avanquest\Adaware Antivirus\traffic-interceptor\1.0.3.62\smtp.dll	msiexec.exe
File created	C:\Program Files (x86)\UDL\Client\3.6.30.416\extractors-highest-priority-name.json	NoEscape.exe (Creepypasta).755708.exe
File created	C:\Program Files (x86)\UDL\Client\3.6.30.416\pylibs\winsound.pyd	NoEscape.exe (Creepypasta).755708.exe
File created	C:\Program Files (x86)\UDL\Client\3.6.30.416\pylibs\_elementtree.pyd	NoEscape.exe (Creepypasta).755708.exe
File opened for modification	C:\Program Files (x86)\UDL\Client\3.6.30.416\api-ms-win-core-file-l1-1-0.dll	NoEscape.exe (Creepypasta).755708.exe
File created	C:\Program Files (x86)\UDL\Visit unidownloader.com.lnk	NoEscape.exe (Creepypasta).755708.exe
File created	C:\Program Files\Avanquest\Adaware Antivirus\traffic-interceptor\1.0.3.62\bddci.cat	msiexec.exe
File created	C:\Program Files\Avanquest\Adaware Antivirus\traffic-interceptor\1.0.3.62\bdnc.ini	msiexec.exe
File created	C:\Program Files (x86)\UDL\Client\3.6.30.416\api-ms-win-core-datetime-l1-1-0.dll	NoEscape.exe (Creepypasta).755708.exe
File created	C:\Program Files (x86)\UDL\Client\3.6.30.416\api-ms-win-core-profile-l1-1-0.dll	NoEscape.exe (Creepypasta).755708.exe
File created	C:\Program Files (x86)\UDL\Client\3.6.30.416\api-ms-win-core-file-l2-1-0.dll	NoEscape.exe (Creepypasta).755708.exe
File created	C:\Program Files\Avanquest\Adaware Antivirus\application\14.3.43577.3505\msvcp140_1.dll	msiexec.exe
File created	C:\Program Files\Avanquest\Adaware Antivirus\application\14.3.43577.3505\zlib1.dll	msiexec.exe
File created	C:\Program Files\Avanquest\Adaware Antivirus\application\14.3.43577.3505\real_time_protection_history.dll	msiexec.exe
File created	C:\Program Files (x86)\UDL\Client\3.6.30.416\api-ms-win-crt-string-l1-1-0.dll	NoEscape.exe (Creepypasta).755708.exe
File created	C:\Program Files (x86)\UDL\Client\3.6.30.416\api-ms-win-core-util-l1-1-0.dll	NoEscape.exe (Creepypasta).755708.exe
File opened for modification	C:\Program Files (x86)\UDL\Client\3.6.30.416\pylibs\_zoneinfo.pyd	NoEscape.exe (Creepypasta).755708.exe
File created	C:\Program Files (x86)\UDL\Client\3.6.30.416\ffprobe.exe	NoEscape.exe (Creepypasta).755708.exe
File created	C:\Program Files (x86)\UDL\Client\3.6.30.416\urls-regexes-black.json	UDL-client.exe
File opened for modification	C:\Program Files (x86)\UDL\Client\3.6.30.416\api-ms-win-core-sysinfo-l1-1-0.dll	NoEscape.exe (Creepypasta).755708.exe
File opened for modification	C:\Program Files (x86)\UDL\Client\3.6.30.416\api-ms-win-core-synch-l1-1-0.dll	NoEscape.exe (Creepypasta).755708.exe
File opened for modification	C:\Program Files (x86)\UDL\Client\3.6.30.416\libwebp.dll	NoEscape.exe (Creepypasta).755708.exe
File created	C:\Program Files\Avanquest\Adaware Antivirus\application\14.3.43577.3505\bz2.dll	msiexec.exe
File created	C:\Program Files\Avanquest\Adaware Antivirus\application\14.3.43577.3505\installer.exe	msiexec.exe
File created	C:\Program Files\Avanquest\Adaware Antivirus\application\14.3.43577.3505\geoip.dll	msiexec.exe
File created	C:\Program Files\Avanquest\Adaware Antivirus\application\14.3.43577.3505\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Program Files\Avanquest\Adaware Antivirus\active-threat-control\1.58.364.0\atc.inf	msiexec.exe
File created	C:\Program Files (x86)\UDL\Client\3.6.30.416\pylibs\_uuid.pyd	NoEscape.exe (Creepypasta).755708.exe
File created	C:\Program Files (x86)\UDL\Client\3.6.30.416\ffmpeg.exe	NoEscape.exe (Creepypasta).755708.exe
File opened for modification	C:\Program Files (x86)\UDL\Client\3.6.30.416\api-ms-win-crt-stdio-l1-1-0.dll	NoEscape.exe (Creepypasta).755708.exe
File created	C:\Program Files\Avanquest\Adaware Antivirus\application\14.3.43577.3505\boost_locale-vc143-mt-x64-1_78.dll	msiexec.exe
File created	C:\Program Files\Avanquest\Adaware Antivirus\application\14.3.43577.3505\crash-handler.exe	msiexec.exe
File created	C:\Program Files\Avanquest\Adaware Antivirus\active-threat-control\1.58.364.0\atc.sys	msiexec.exe
File created	C:\Program Files\Avanquest\Adaware Antivirus\traffic-interceptor\1.0.3.62\bittorrent.dll	msiexec.exe
File created	C:\Program Files\Avanquest\Adaware Antivirus\antimalware\3.0.1.297\bdarw.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\UDL\Client\3.6.30.416\pylibs\_bz2.pyd	NoEscape.exe (Creepypasta).755708.exe
File opened for modification	C:\Program Files (x86)\UDL\Client\3.6.30.416\pylibs\python3.dll	NoEscape.exe (Creepypasta).755708.exe
File opened for modification	C:\Program Files (x86)\UDL\Client\3.6.30.416\dbxadapter.dll	NoEscape.exe (Creepypasta).755708.exe
File opened for modification	C:\Program Files (x86)\UDL\Client\3.6.30.416\api-ms-win-core-interlocked-l1-1-0.dll	NoEscape.exe (Creepypasta).755708.exe
File created	C:\Program Files\Avanquest\Adaware Antivirus\application\14.3.43577.3505\concrt140.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\UDL\Client\3.6.30.416\pylibs\sqlite3.dll	NoEscape.exe (Creepypasta).755708.exe
File created	C:\Program Files\Avanquest\Adaware Antivirus\application\14.3.43577.3505\rpc_server.dll	msiexec.exe
File created	C:\Program Files\Avanquest\Adaware Antivirus\antimalware\3.0.1.297\bdsmartdb.dll	msiexec.exe
File created	C:\Program Files (x86)\UDL\Client\3.6.30.416\pylibs\_hashlib.pyd	NoEscape.exe (Creepypasta).755708.exe
File created	C:\Program Files (x86)\UDL\Client\scanObject.json	NoEscape.exe (Creepypasta).755708.exe
File created	C:\Program Files\Avanquest\Adaware Antivirus\application\14.3.43577.3505\privacy_manager.dll	msiexec.exe
File created	C:\Program Files (x86)\UDL\Client\3.6.30.416\api-ms-win-crt-heap-l1-1-0.dll	NoEscape.exe (Creepypasta).755708.exe
File created	C:\Program Files\Avanquest\Adaware Antivirus\active-threat-control\1.58.364.0\bdnc.ini	msiexec.exe
File opened for modification	C:\Program Files (x86)\UDL\Client\3.6.30.416\api-ms-win-core-heap-l1-1-0.dll	NoEscape.exe (Creepypasta).755708.exe
File opened for modification	C:\Program Files (x86)\UDL\Client\3.6.30.416\api-ms-win-crt-private-l1-1-0.dll	NoEscape.exe (Creepypasta).755708.exe

Drops file in Windows directory 48 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e5e8ef0.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF03F.tmp	msiexec.exe
File created	C:\Windows\Installer\e5e8efa.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6CA6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5e8f09.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7BDA.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{222563E9-869E-49DC-B33C-F99AA713E9D5}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA180.tmp	msiexec.exe
File created	C:\Windows\Installer\e5e8ef4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5e8ef5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5e8eff.msi	msiexec.exe
File created	C:\Windows\Installer\e5e8f03.msi	msiexec.exe
File created	C:\Windows\Installer\e5e8f0d.msi	msiexec.exe
File created	C:\Windows\Installer\e5e8f0e.msi	msiexec.exe
File created	C:\Windows\Installer\e5e8ef5.msi	msiexec.exe
File created	C:\Windows\Installer\e5e8eff.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5e8f04.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{BC8F1D7B-0C34-4B3F-9F08-D9E914AD1C0C}	msiexec.exe
File created	C:\Windows\Installer\e5e8f13.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA121.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB4CB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2569.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6EBA.tmp	msiexec.exe
File created	C:\Windows\Installer\e5e8f12.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI494E.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{BDD3EEB2-E66E-4EF5-9C86-F20CE0819BDE}	msiexec.exe
File opened for modification	C:\Windows\Installer\e5e8ef0.msi	msiexec.exe
File created	C:\Windows\Installer\{222563E9-869E-49DC-B33C-F99AA713E9D5}\DesktopIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\{222563E9-869E-49DC-B33C-F99AA713E9D5}\DesktopIcon	msiexec.exe
File created	C:\Windows\Installer\SourceHash{2021C880-4033-4623-90C7-5923215E3872}	msiexec.exe
File created	C:\Windows\Installer\e5e8ef9.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5C77AB5F-E4C3-434E-A7AE-000811DEF13D}	msiexec.exe
File created	C:\Windows\Installer\e5e8f09.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9128.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5e8f13.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI95C6.tmp	msiexec.exe
File created	C:\Windows\Installer\e5e8efe.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e5e8f08.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D7FC57A7-50F9-4372-A4A2-ACA9CB2D8F18}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA569.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5e8efa.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{215A8F88-68B9-4894-BC8D-0E660E7C2424}	msiexec.exe
File created	C:\Windows\Installer\e5e8f04.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5e8f0e.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000000840d5e5e83918180000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800000840d5e50000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d012000000000000000032000000ffffffff0000000007000100006809000840d5e5000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01232000000000020ed0d000000ffffffff0000000007000100006809190840d5e5000000000000d0123200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000840d5e500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5884	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 13 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5E1ABEA1-1F41-11EE-AF62-CE28E34818EB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Modifies data under HKEY_USERS 59 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\GrpConv	grpconv.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\20	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	runonce.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133334812288629786"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = fb9a790967add111abcd00c04fc309366e0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	runonce.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\GrpConv	grpconv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	runonce.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	runonce.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = fb9a790967add111abcd00c04fc309366e0000006024b221ea3a6910a2dc08002b30309dda000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	runonce.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\24	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\GrpConv	grpconv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	runonce.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	runonce.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	runonce.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	runonce.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	runonce.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	runonce.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	runonce.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = fb9a790967add111abcd00c04fc309366e0000006024b221ea3a6910a2dc08002b30309dda000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	runonce.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\GrpConv	Conhost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\23	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = fb9a790967add111abcd00c04fc309366e0000006024b221ea3a6910a2dc08002b30309dda000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\21	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\21	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\GrpConv	grpconv.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	runonce.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	runonce.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = fb9a790967add111abcd00c04fc309366e0000006024b221ea3a6910a2dc08002b30309dda000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	runonce.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	runonce.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	runonce.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	runonce.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = fb9a790967add111abcd00c04fc309366e0000006024b221ea3a6910a2dc08002b30309dda000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	runonce.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	runonce.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\088C120233043264097C953212E58327	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F5BA77C53C4EE4347AEA008011ED1FD3\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\88F8A5129B864984CBD8E066E0C74242\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2BEE3DDBE66E5FE4C9682FC00E18B9ED\SourceList\Net\1 = "C:\\ProgramData\\Avanquest\\Adaware Antivirus\\msi-cache\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\adaware-ss\URL Protocol	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\088C120233043264097C953212E58327\Antimalware	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\088C120233043264097C953212E58327\ProductName = "antimalware"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\088C120233043264097C953212E58327\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\088C120233043264097C953212E58327\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5C0FBFD8ADE69454197540E9AA39D137\F5BA77C53C4EE4347AEA008011ED1FD3	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\EA17D3B580656644099CDEC539DE7F57	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2BEE3DDBE66E5FE4C9682FC00E18B9ED	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E365222E968CD943BC39FA97A319E5D\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7A75CF7D9F0527344A2ACA9ABCD2F881\Firewall	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7D1F8CB43C0F3B4F9809D9E41DAC1C0\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F5BA77C53C4EE4347AEA008011ED1FD3\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2BEE3DDBE66E5FE4C9682FC00E18B9ED\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7D1F8CB43C0F3B4F9809D9E41DAC1C0\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7A75CF7D9F0527344A2ACA9ABCD2F881\ProductName = "firewall"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7A75CF7D9F0527344A2ACA9ABCD2F881\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Avanquest\\Adaware Antivirus\\msi-cache\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\adaware-ss\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E365222E968CD943BC39FA97A319E5D\ProductName = "Adaware Antivirus"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\088C120233043264097C953212E58327\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Avanquest\\Adaware Antivirus\\msi-cache\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\88F8A5129B864984CBD8E066E0C74242\ProductName = "active-threat-control"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\88F8A5129B864984CBD8E066E0C74242\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2BEE3DDBE66E5FE4C9682FC00E18B9ED	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7D1F8CB43C0F3B4F9809D9E41DAC1C0\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7D1F8CB43C0F3B4F9809D9E41DAC1C0\SourceList\PackageName = "bebacb0c-344e-4008-89e2-d6abea2f3d0f.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\adaware-ss\shell\open	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\633C34A3C1CE94B41B598940E5D74BE3\7A75CF7D9F0527344A2ACA9ABCD2F881	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\EA17D3B580656644099CDEC539DE7F57\88F8A5129B864984CBD8E066E0C74242	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B7D1F8CB43C0F3B4F9809D9E41DAC1C0\TrafficInterceptor	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E365222E968CD943BC39FA97A319E5D\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\088C120233043264097C953212E58327\SourceList\Net\1 = "C:\\ProgramData\\Avanquest\\Adaware Antivirus\\msi-cache\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\088C120233043264097C953212E58327\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\88F8A5129B864984CBD8E066E0C74242	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7A75CF7D9F0527344A2ACA9ABCD2F881\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\088C120233043264097C953212E58327	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\adaware-ss\shell	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E365222E968CD943BC39FA97A319E5D\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\088C120233043264097C953212E58327\OnAccess	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\088C120233043264097C953212E58327\AdvertiseFlags = "388"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\88F8A5129B864984CBD8E066E0C74242\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7D1F8CB43C0F3B4F9809D9E41DAC1C0\PackageCode = "555A189F55B77AF43B3F96B8BB9BCBCC"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\adaware-ss	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\088C120233043264097C953212E58327\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C79ED1DDFB8DB8543A1ADFAE93B02BC6	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\88F8A5129B864984CBD8E066E0C74242\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E365222E968CD943BC39FA97A319E5D\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\088C120233043264097C953212E58327\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\88F8A5129B864984CBD8E066E0C74242\ActiveThreatControl	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\88F8A5129B864984CBD8E066E0C74242\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\88F8A5129B864984CBD8E066E0C74242\SourceList\Net\1 = "C:\\ProgramData\\Avanquest\\Adaware Antivirus\\msi-cache\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7D1F8CB43C0F3B4F9809D9E41DAC1C0\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Avanquest\\Adaware Antivirus\\msi-cache\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7A75CF7D9F0527344A2ACA9ABCD2F881\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7A75CF7D9F0527344A2ACA9ABCD2F881\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\088C120233043264097C953212E58327\Antirootkit	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E365222E968CD943BC39FA97A319E5D\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C79ED1DDFB8DB8543A1ADFAE93B02BC6\088C120233043264097C953212E58327	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2BEE3DDBE66E5FE4C9682FC00E18B9ED\Version = "16777218"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0C7CADC98555ABC4EABD998BA3E9EE25\2BEE3DDBE66E5FE4C9682FC00E18B9ED	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7A75CF7D9F0527344A2ACA9ABCD2F881\SourceList\Net\1 = "C:\\ProgramData\\Avanquest\\Adaware Antivirus\\msi-cache\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\adaware-ss	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E365222E968CD943BC39FA97A319E5D	msiexec.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	adawarewebinstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	adawarewebinstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	adawarewebinstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	adawarewebinstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	adawarewebinstaller.exe

Runs net.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	440	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4156	chrome.exe
4156	chrome.exe
4536	chrome.exe
4536	chrome.exe
5652	adawarewebinstaller.exe
5652	adawarewebinstaller.exe
1960	chrome.exe
1960	chrome.exe
4752	msiexec.exe
4752	msiexec.exe
4752	msiexec.exe
4752	msiexec.exe
4752	msiexec.exe
4752	msiexec.exe
4752	msiexec.exe
4752	msiexec.exe
4752	msiexec.exe
4752	msiexec.exe
4752	msiexec.exe
4752	msiexec.exe
2244	chrome.exe
2244	chrome.exe
4752	msiexec.exe
4752	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe
Token: SeShutdownPrivilege	4156	chrome.exe
Token: SeCreatePagefilePrivilege	4156	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
808	iexplore.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe
4880	UDL-client.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
808	iexplore.exe
808	iexplore.exe
4244	IEXPLORE.EXE
4244	IEXPLORE.EXE
4880	UDL-client.exe
4880	UDL-client.exe
5652	adawarewebinstaller.exe
5652	adawarewebinstaller.exe
5652	adawarewebinstaller.exe
5652	adawarewebinstaller.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 808 wrote to memory of 4244	808	iexplore.exe	87
PID 808 wrote to memory of 4244	808	iexplore.exe	87
PID 808 wrote to memory of 4244	808	iexplore.exe	87
PID 4156 wrote to memory of 4012	4156	chrome.exe	93
PID 4156 wrote to memory of 4012	4156	chrome.exe	93
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 3212	4156	chrome.exe	95
PID 4156 wrote to memory of 4780	4156	chrome.exe	96
PID 4156 wrote to memory of 4780	4156	chrome.exe	96
PID 4156 wrote to memory of 2224	4156	chrome.exe	97
PID 4156 wrote to memory of 2224	4156	chrome.exe	97
PID 4156 wrote to memory of 2224	4156	chrome.exe	97
PID 4156 wrote to memory of 2224	4156	chrome.exe	97
PID 4156 wrote to memory of 2224	4156	chrome.exe	97
PID 4156 wrote to memory of 2224	4156	chrome.exe	97
PID 4156 wrote to memory of 2224	4156	chrome.exe	97
PID 4156 wrote to memory of 2224	4156	chrome.exe	97
PID 4156 wrote to memory of 2224	4156	chrome.exe	97
PID 4156 wrote to memory of 2224	4156	chrome.exe	97
PID 4156 wrote to memory of 2224	4156	chrome.exe	97
PID 4156 wrote to memory of 2224	4156	chrome.exe	97
PID 4156 wrote to memory of 2224	4156	chrome.exe	97
PID 4156 wrote to memory of 2224	4156	chrome.exe	97
PID 4156 wrote to memory of 2224	4156	chrome.exe	97
PID 4156 wrote to memory of 2224	4156	chrome.exe	97
PID 4156 wrote to memory of 2224	4156	chrome.exe	97
PID 4156 wrote to memory of 2224	4156	chrome.exe	97
PID 4156 wrote to memory of 2224	4156	chrome.exe	97

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://google
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:808
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:808 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffc8dc99758,0x7ffc8dc99768,0x7ffc8dc99778
  2⤵
  PID:4012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:2
  2⤵
  PID:3212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:8
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2260 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:8
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3244 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3284 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3808 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:4204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4736 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:8
  2⤵
  PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4876 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:8
  2⤵
  PID:4396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:8
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:8
  2⤵
  PID:1156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5184 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:4244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3316 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:8
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3268 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3256 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2684 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:8
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1828 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:8
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=1860 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4508 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:8
  2⤵
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4560 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:8
  2⤵
  PID:3124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3960 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:8
  2⤵
  PID:544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5624 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:8
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6180 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:8
  2⤵
  PID:3360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6164 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:8
  2⤵
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5784 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=6132 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=6108 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=3420 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=5560 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:4232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=1052 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:3424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=5604 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:2552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=3732 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=5860 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:8
  2⤵
  PID:3376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5544 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=6168 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=6468 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=6052 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5116 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:8
  2⤵
  PID:264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6764 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:8
  2⤵
  PID:1484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2508 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:8
  2⤵
  PID:4764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=5676 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=6428 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:1004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5668 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:8
  2⤵
  PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5960 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:8
  2⤵
  PID:3972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=5720 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=6632 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:3744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=7032 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:1232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=49 --mojo-platform-channel-handle=6592 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6748 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:8
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2336 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:8
  2⤵
  PID:3580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=52 --mojo-platform-channel-handle=5720 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=53 --mojo-platform-channel-handle=6228 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=54 --mojo-platform-channel-handle=5892 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6708 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:8
  2⤵
  PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=56 --mojo-platform-channel-handle=7232 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=59 --mojo-platform-channel-handle=7528 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:3392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7300 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:8
  2⤵
  PID:3568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3532 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:8
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=60 --mojo-platform-channel-handle=7696 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:1160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=67 --mojo-platform-channel-handle=8096 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:1296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=66 --mojo-platform-channel-handle=8084 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=65 --mojo-platform-channel-handle=7952 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=64 --mojo-platform-channel-handle=7928 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:2728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=63 --mojo-platform-channel-handle=7912 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=62 --mojo-platform-channel-handle=7896 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  - Executes dropped EXE
  PID:4176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=61 --mojo-platform-channel-handle=7868 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=68 --mojo-platform-channel-handle=8888 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:5612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=72 --mojo-platform-channel-handle=7668 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:5652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=74 --mojo-platform-channel-handle=5360 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:5684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=73 --mojo-platform-channel-handle=3492 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:5676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=71 --mojo-platform-channel-handle=6368 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:5644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=70 --mojo-platform-channel-handle=8064 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:5636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=69 --mojo-platform-channel-handle=6084 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:5628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=78 --mojo-platform-channel-handle=10168 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:5776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=77 --mojo-platform-channel-handle=10136 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:5764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=79 --mojo-platform-channel-handle=10412 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:2692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=76 --mojo-platform-channel-handle=9888 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:5768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=75 --mojo-platform-channel-handle=9876 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:5736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=80 --mojo-platform-channel-handle=11132 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:2476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=10992 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:8
  2⤵
  PID:2060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=11128 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:8
  2⤵
  PID:4784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10656 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:8
  2⤵
  PID:928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=84 --mojo-platform-channel-handle=10636 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:5540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8536 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:8
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8508 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:8
  2⤵
  PID:1484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=87 --mojo-platform-channel-handle=9788 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:4268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=88 --mojo-platform-channel-handle=8084 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:3580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=89 --mojo-platform-channel-handle=4816 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=90 --mojo-platform-channel-handle=11336 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=91 --mojo-platform-channel-handle=7412 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:6912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=92 --mojo-platform-channel-handle=8376 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:6576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=93 --mojo-platform-channel-handle=8676 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:6880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=94 --mojo-platform-channel-handle=9416 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:5312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=95 --mojo-platform-channel-handle=9460 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=96 --mojo-platform-channel-handle=9400 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=100 --mojo-platform-channel-handle=8280 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:5860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=101 --mojo-platform-channel-handle=9940 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:5828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=99 --mojo-platform-channel-handle=8292 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:5840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=98 --mojo-platform-channel-handle=8304 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:5852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=97 --mojo-platform-channel-handle=8220 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:5836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=102 --mojo-platform-channel-handle=11312 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:6404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=103 --mojo-platform-channel-handle=8652 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:6132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=104 --mojo-platform-channel-handle=10004 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:6484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=105 --mojo-platform-channel-handle=4452 --field-trial-handle=1920,i,11033175911681545093,6901868866317323687,131072 /prefetch:1
  2⤵
  PID:4048

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3392

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x518 0x50c
1⤵
PID:1920

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1368

C:\Users\Admin\Downloads\NoEscape.exe (Creepypasta).755708.exe
"C:\Users\Admin\Downloads\NoEscape.exe (Creepypasta).755708.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2860
- C:\Program Files (x86)\UDL\Client\ClientLauncher.exe
  "C:\Program Files (x86)\UDL\Client\ClientLauncher.exe" /from=installer -f "C:\Users\Admin\AppData\Roaming\UDL\Bundle.json"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2800
- - C:\Program Files (x86)\UDL\Client\3.6.30.416\UDL-client.exe
    "C:\Program Files (x86)\UDL\Client\3.6.30.416\UDL-client.exe" /from=installer -f C:\Users\Admin\AppData\Roaming\UDL\Bundle.json
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:4880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:6872
  - - C:\Program Files (x86)\UDL\Client\3.6.30.416\ffprobe.exe
      ffprobe -loglevel error -hide_banner -stats -i "C:\Users\Admin\Downloads\UDL Downloads\tmp\NoEscape.exe (Creepypasta)(22) [720p].mp4" -of default=noprint_wrappers=0 -print_format flat -show_entries stream=codec_type,codec_name,format_name,codec_tag_string,coded_width,coded_height,r_frame_rate,pix_fmt,bit_rate,duration
      4⤵
      Executes dropped EXE
      PID:6980
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5776
- - C:\Program Files (x86)\UDL\Client\ClientLauncher.exe
    "C:\Program Files (x86)\UDL\Client\ClientLauncher.exe" -module=Updater -path=..\Updater -check
    3⤵
    PID:4176
  - - C:\Program Files (x86)\UDL\Updater\3.1.26.1433\Updater.exe
      "C:\Program Files (x86)\UDL\Updater\3.1.26.1433\Updater.exe" -check
      4⤵
      Executes dropped EXE
      PID:4936
- C:\Program Files (x86)\UDL\Updater\UpdaterLauncher.exe
  "C:\Program Files (x86)\UDL\Updater\UpdaterLauncher.exe" /host="C:\Program Files (x86)\UDL\Updater\UpdaterLauncher.exe" /add-startup /check
  2⤵
  - Executes dropped EXE
  PID:2216

C:\Users\Admin\Desktop\adawarewebinstaller.exe
"C:\Users\Admin\Desktop\adawarewebinstaller.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://paygw.adaware.com/redirect/custom/adaware-14?customValue=thank-you&cmp=&culture=en&gtm=gtm-ts85dt8&key1=&key2=&keyb=&lang=&mkey1=&mkey2=17425d2b-5037-4a23-afc5-678bef5fce6d&mkey4=&mkey5=&mkey6=&mkey7=&mkey9=&qti=&ref=&uid=1019613&visitorid=&wid=8159
  2⤵
  PID:5136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc841946f8,0x7ffc84194708,0x7ffc84194718
    3⤵
    PID:5192
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,12366132296843102632,16919736757597512446,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
    3⤵
    PID:7012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,12366132296843102632,16919736757597512446,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
    3⤵
    PID:4804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,12366132296843102632,16919736757597512446,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
    3⤵
    PID:2832
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12366132296843102632,16919736757597512446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
    3⤵
    PID:1100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12366132296843102632,16919736757597512446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
    3⤵
    PID:6632

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4752
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2440
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B215AA6C5A482C4D3D3734A9855535D0
  2⤵
  - Loads dropped DLL
  PID:6736
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /F /IM "Adaware Antivirus.exe"
    3⤵
    - Kills process with taskkill
    PID:5884
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 508D7133F791278A8E09D0913C040414
  2⤵
  - Loads dropped DLL
  PID:1952
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 5998A13ADE145179A0BDA1822A7724AC E Global\MSI0000
  2⤵
  - Sets service image path in registry
  - Loads dropped DLL
  PID:7044
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" advpack.dll,LaunchINFSection .\elamtd.inf,,3,N
    3⤵
    - Drops file in Drivers directory
    PID:5492
- C:\Windows\system32\rundll32.exe
  rundll32.exe syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Program Files\Avanquest\Adaware Antivirus\antimalware\3.0.1.297\\trufos.inf
  2⤵
  - Drops file in Drivers directory
  - Adds Run key to start application
  PID:3888
- - C:\Windows\system32\runonce.exe
    "C:\Windows\system32\runonce.exe" -r
    3⤵
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    PID:2748
  - - C:\Windows\System32\grpconv.exe
      "C:\Windows\System32\grpconv.exe" -o
      4⤵
      Modifies data under HKEY_USERS
      PID:1956
- C:\Windows\system32\rundll32.exe
  rundll32.exe setupapi, InstallHinfSection DefaultInstall 128 C:\Program Files\Avanquest\Adaware Antivirus\antimalware\3.0.1.297\\gzflt.inf
  2⤵
  - Drops file in Drivers directory
  - Adds Run key to start application
  PID:5124
- - C:\Windows\system32\runonce.exe
    "C:\Windows\system32\runonce.exe" -r
    3⤵
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    PID:5440
  - - C:\Windows\System32\grpconv.exe
      "C:\Windows\System32\grpconv.exe" -o
      4⤵
      Modifies data under HKEY_USERS
      PID:3156
- C:\Windows\system32\rundll32.exe
  rundll32.exe syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Program Files\Avanquest\Adaware Antivirus\active-threat-control\1.58.364.0\\atc.inf
  2⤵
  - Drops file in Drivers directory
  - Adds Run key to start application
  PID:4204
- - C:\Windows\system32\runonce.exe
    "C:\Windows\system32\runonce.exe" -r
    3⤵
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    PID:6512
  - - C:\Windows\System32\grpconv.exe
      "C:\Windows\System32\grpconv.exe" -o
      4⤵
      Modifies data under HKEY_USERS
      PID:6152
- C:\Windows\system32\rundll32.exe
  rundll32.exe syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Program Files\Avanquest\Adaware Antivirus\traffic-interceptor\1.0.3.62\\bddci.inf
  2⤵
  - Drops file in Drivers directory
  - Adds Run key to start application
  PID:4100
- - C:\Windows\system32\runonce.exe
    "C:\Windows\system32\runonce.exe" -r
    3⤵
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    PID:2424
  - - C:\Windows\System32\grpconv.exe
      "C:\Windows\System32\grpconv.exe" -o
      4⤵
      PID:6812
- C:\Windows\system32\rundll32.exe
  rundll32.exe syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Program Files\Avanquest\Adaware Antivirus\firewall\3.0.0.34\\ignis.inf
  2⤵
  - Drops file in Drivers directory
  - Adds Run key to start application
  PID:1364
- - C:\Windows\system32\runonce.exe
    "C:\Windows\system32\runonce.exe" -r
    3⤵
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    PID:3860
  - - C:\Windows\System32\grpconv.exe
      "C:\Windows\System32\grpconv.exe" -o
      4⤵
      Modifies data under HKEY_USERS
      PID:912
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding C6D1F996B750294F78E871AD9E36131C
  2⤵
  PID:2268
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E05DEB53476140A09E02854A922E7D42
  2⤵
  PID:6284
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 038CA8EF337B0561B51D11ED89117AB1 E Global\MSI0000
  2⤵
  PID:1980
- - C:\Windows\System32\netsh.exe
    netsh interface set interface name="Local Area Connection" newname="Adaware Antivirus TAP-Windows6"
    3⤵
    PID:2884
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Modifies data under HKEY_USERS
      PID:6812
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 02B3902D62B33A7A719F37B827AFAE9F E Global\MSI0000
  2⤵
  PID:7080

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:6700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc8dc99758,0x7ffc8dc99768,0x7ffc8dc99778
  2⤵
  PID:1420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:8
  2⤵
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:2
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:8
  2⤵
  PID:6916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3244 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:1
  2⤵
  PID:5524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3228 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:1
  2⤵
  PID:7132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4548 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:1
  2⤵
  PID:1232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4668 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:8
  2⤵
  PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4820 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:8
  2⤵
  PID:5520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:8
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5244 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:1
  2⤵
  PID:6496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4888 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:1
  2⤵
  PID:3840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3232 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:1
  2⤵
  PID:6140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:8
  2⤵
  PID:6720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5208 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:1
  2⤵
  PID:5424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2508 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1780 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:8
  2⤵
  PID:5960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5884 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:1
  2⤵
  PID:6948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3508 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:1
  2⤵
  PID:552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=6028 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:1
  2⤵
  PID:6356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4572 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:8
  2⤵
  PID:6468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4520 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5868 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:1
  2⤵
  PID:5184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=6120 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:1
  2⤵
  PID:4176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=5896 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:1
  2⤵
  PID:3384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=4636 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=3448 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:1
  2⤵
  PID:6560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:8
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=3340 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:1
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4512 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:8
  2⤵
  PID:5316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5344 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:8
  2⤵
  PID:5820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5744 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:8
  2⤵
  PID:4616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=5740 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:1
  2⤵
  PID:5904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=5684 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:1
  2⤵
  PID:3768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=3364 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:1
  2⤵
  PID:6784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=5604 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:1
  2⤵
  PID:5796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6324 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:8
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=3296 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:1
  2⤵
  PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6676 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:8
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=6312 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:1
  2⤵
  PID:1448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=5748 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:1
  2⤵
  PID:5500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=6664 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6852 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:8
  2⤵
  PID:5460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6848 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6860 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:8
  2⤵
  PID:6256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4548 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:8
  2⤵
  PID:5640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2948 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:8
  2⤵
  PID:6124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=6312 --field-trial-handle=1800,i,4123367921396580332,10447454086564791072,131072 /prefetch:1
  2⤵
  PID:1768

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5072

C:\Program Files\Avanquest\Adaware Antivirus\elam\1.0.2.0\wsc-service.exe
"C:\Program Files\Avanquest\Adaware Antivirus\elam\1.0.2.0\wsc-service.exe"
1⤵
- Executes dropped EXE
PID:1616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
PID:772
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Windows\Temp\13cfda52880bbe23c8071ff55a18ba7444fbd0109a379717fd58a63dcf18aed4\OemVista.inf" "9" "4e44e4853" "000000000000014C" "WinSta0\Default" "0000000000000164" "208" "C:\Windows\Temp\13cfda52880bbe23c8071ff55a18ba7444fbd0109a379717fd58a63dcf18aed4"
  2⤵
  PID:5904
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "11" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:3beb73aff103cc24:tap0901.ndi:9.24.6.601:root\tap0901," "42b53aaff" "000000000000014C"
  2⤵
  PID:4804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
PID:4568

C:\Program Files\Avanquest\Adaware Antivirus\application\14.3.43577.3505\Adaware Antivirus Service.exe
"C:\Program Files\Avanquest\Adaware Antivirus\application\14.3.43577.3505\Adaware Antivirus Service.exe"
1⤵
PID:6036
- C:\Windows\system32\net.exe
  "C:\Windows\system32\net.exe" start bddci
  2⤵
  PID:1648
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start bddci
    3⤵
    PID:392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2548

C:\Program Files\Avanquest\Adaware Antivirus\application\14.3.43577.3505\Adaware Antivirus.exe
"C:\Program Files\Avanquest\Adaware Antivirus\application\14.3.43577.3505\Adaware Antivirus.exe"
1⤵
PID:6868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery